I have a web application that I want to protect using Apache authentication. I found out that it uses sha1+salt to store passwords. Since auth_mysql_module is deprecated, I am trying to use authn_dbd_module. Currently I'm running Debian wheezy. Here is how the web app creates password hashes:

    <?php sha1($pw.$salt); ?>

try with php:


I can reproduce the hash using mysql:

    SELECT SHA1(CONCAT(@pw, @salt));

try using mysql:

    mysql> SELECT SHA1(CONCAT('password', 'salt'));
    | SHA1(CONCAT('password', 'salt'))         |
    | c88e9c67041a74e0357befdff93f87dde0904214 |

My apache site.conf:

    DBDriver mysql
    DBDParams "host=localhost user=<db_user> pass=<db_pass> dbname=<db_name>"

    <Directory /var/www/htdocs/>
       Options -Indexes
       Order allow,deny
       Allow from all

       AuthName "Please enter username and password"
       AuthType Basic
       Require valid-user

       AuthBasicProvider dbd
       AuthDBDUserPWQuery "SELECT SHA1(CONCAT(password, salt)) AS password FROM users WHERE username = %s"
    </Directory>

The AuthDBDUserPWQuery line obviously doesn't do the trick because it creates a new hash from (stored hash and salt) and compares it to the entered password. The Apache log shows:

    [Sat Aug 22 XX:XX:XX 2015] [error] [client 92.X.X.X] user myusername: authentication failure for "/": Password Mismatch

I know it is recommended to use neither sha1 nor a short salt to store passwords. But anyhow: is there a way to make the authentication work?
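
The mismatch described in the question, as an added illustration that is not part of the original post: it computes the value stored by the web app, the value the posted AuthDBDUserPWQuery returns, and the unsalted `{SHA}` form written by `htpasswd -s`. The function names are hypothetical, and `model_validate` is a simplified model of the server-side check, not Apache code.

```python
import base64
import hashlib
import hmac


def webapp_hash(password: str, salt: str) -> str:
    """Scheme from the post: hex(sha1(password . salt)), as PHP and MySQL compute it."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def posted_query_value(stored_hash: str, salt: str) -> str:
    """What the posted AuthDBDUserPWQuery returns: SHA1(CONCAT(password, salt))
    over the stored column, i.e. a hash of the stored hash plus the salt."""
    return hashlib.sha1((stored_hash + salt).encode()).hexdigest()


def apache_sha(password: str) -> str:
    """The '{SHA}' format written by `htpasswd -s`: base64 of the raw, unsalted SHA-1."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def model_validate(typed: str, returned: str) -> bool:
    """Simplified model (an assumption, not Apache source): the typed password is
    hashed in the format named by the returned value's prefix and compared.
    Only '{SHA}' is modelled; an unprefixed hex string matches no format here."""
    if returned.startswith("{SHA}"):
        return hmac.compare_digest(apache_sha(typed), returned)
    return False


def compare(password: str, salt: str) -> dict:
    stored = webapp_hash(password, salt)  # value held in the users table
    return {
        "stored": stored,
        "posted_query": posted_query_value(stored, salt),
        "stored_accepted": model_validate(password, stored),
        "posted_query_accepted": model_validate(password, posted_query_value(stored, salt)),
        "htpasswd_sha_accepted": model_validate(password, apache_sha(password)),
    }


if __name__ == "__main__":
    # Constructed sample input, reusing the 'password' / 'salt' pair from the post.
    for key, value in compare("password", "salt").items():
        print(f"{key}: {value}")
```

In this model neither value derived from the salted column is accepted, because the salt never reaches the side that hashes the typed password.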

